Using the Business Continuity Maturity Model To Gain Executive Approval Margaret Langsett, Executive Vice President, Virtual Corporation Manfred Heinzlreiter, CBCP, Managing Partner, BR- i.com June 20, 2006
Agenda: Presentation Introduction; Executive Buy-In; History of BCMM; BCMM Capabilities; BCMM International Interest; Q & A's 2
Executive Buy-In: Investing in increasing revenue. Planning for something that you HOPE never happens. Executives decide how to best utilize scarce resources: $$$ + People. Critical to their decision: ROI 3
Executive Approval the Traditional Way. Budget Phase: Annual Budget Cycle; Project Plan; Change Management. Crunch Time: Which pot to take it from? What about competing priorities? What ends up happening: The squeaking wheel gets the oil; BCM is fast tracked (whatever that means) 4
Executive Approval the Traditional Way. What are the typical means to secure funding? Reaction to potential threats; Disasters; Audit; Legislation / Regulation; Peer Pressure; Supply Chain; Shareholders; Clients. What are the typical answers? Not from my budget; Sorry, the budget has been approved, you have to find the money somewhere else; No problem, as long as you stay within the budget; That's someone else's problem 5
Alternate Approach: Establish a repeatable and consistent process to measure and demonstrate achievements. Pro-actively apply those measures to: Vendor selection/strategy/criteria; Process (Re-)Engineering; Establish competitive advantage; Develop and demonstrate program improvement metrics; Conduct Internal Audits; Evaluate Business Partners and Supply Chain and SC Partners; Assist Corporate Governance; Align With Regulatory Requirements; Obtain Executive Buy-In; Support Program Design 6
Public Domain BCMM: You have a vision but you can't do it alone. 7
Business Continuity Maturity Model: Implement BC as a sustainable program. Everyone should have a clue of their role in case of a disruption. Individual managers should have responsibility for recovering their department. 8
History of BCMM: 2006 Licensed Assessors in 10 countries 2005 Active domestic and international Assessor licensing program 2004 Proprietary toolkit available for the first time First Assessor's training class 2001 Introduction article in CPM Formulation of BCMM Working Team 2000 CPM Baseline Survey Continued research 2003 Follow-up article in Disaster Resource Guide Pilot assessment workshop at Continuity Insights Public Domain BCMM finalized Numerous self-assessment workshops conducted BCMM public announcement, October 2002 DRII and BCI Professional Mapping Project initiated Corporate Competencies identified Business Continuity Program Content defined 1997-1999 Initial conversation & research 9
Why create a BC maturity model? The Business Continuity Maturity Model was developed to:
- Answer the following questions for senior mgmt: 1. Where are we now? 2. Where do we ultimately want to be? 3. Where should we be next?
- Achieve executive buy-in to implement and/or sustain a Business Continuity program 10
Why create a BC maturity model? The Business Continuity Maturity Model was developed to:
- Generate consistent data from which meaningful benchmark analyses can be drawn: 1. Establish standard means of scoring BC program implementations 2. Develop historical databank tagged in meaningful ways, e.g., by industry, by region, by company size, etc. 3. Generate awareness that business continuity program effectiveness can be quantified 11
Why create a BC maturity model? The Business Continuity Maturity Model was developed to:
- Provide a diagnostic tool for objective evaluation of BC program effectiveness: 1. Generate consistent and repeatable measurements of the current state-of-preparedness 2. Conduct accurate and reliable analyses to identify gaps in BC program implementation 3. Propose demonstrable and justifiable actions to maximize program effectiveness and resource utilization 12
What is Business Continuity? Business Continuity (BC)
- Prevention and Preparedness
  - Identifying risks and threats,
  - Mitigating those exposures that can be eliminated, and
  - Providing contingency planning for those that cannot.
- Response, Recovery, Restoration, and Resumption
  - Providing for the continuous operation of critical business functions under predefined circumstances.
  - Ensuring that, if interrupted, critical processes (and the resources on which they depend) are restored to predetermined levels of performance within tested recovery time frames. 13
What is a Business Continuity Program? Business Continuity Program
- A proactive process identifying and prioritizing critical business functions and the likely threats to those functions.
- From this information, plans and procedures are developed through a regular program of personnel training, plan testing and maintenance.
- These management disciplines, processes and techniques provide business continuity of the critical business functions under the circumstances and within limits set by senior management.
- These circumstances and limits include:
  - Defined scope and framework of a sustainable BC Program
  - Approved funding and staffing of the company's BC Program 14
Business Continuity / Disaster Recovery Context: What is Business Continuity? [Figure: The Business Continuity Program Life Cycle. Copyright: Virtual Corporation, 1994-2005; modified U.S. DoD graphic. Axes: Capability and Time. Labels: Normal Operations; Incident Occurs; Recovery Time Objective; Emergency Response; Recovery; Restoration; Acceptable Business Capability; Return to Normal Operations. Phases: Proactive BCM Activities (Prevention and Preparedness; Risk Avoidance / Mitigation / Acceptance), Reactive BCM Activities (Response, Recovery & Restoration), Proactive BCM Activities (Prevention and Preparedness; Risk Avoidance / Mitigation / Acceptance).] 15
Business Continuity / Disaster Recovery Context: Business Continuity Management, 6 Plans Working Together. [Figure, Copyright: Virtual Corporation, 1994-2005. Labels: Normal Operations; Incident Occurs; Emergency Response and Damage Assessment; Crisis Management Plan Activated; Preparing for Recovery of Critical Operations; Operating in Recovery Mode; Acceptable Business Capability; Disaster Recovery Plan Activated; Implement Restoration Plan; Normal Operations. Time axis: Hour 0; Recovery Begins; Recovery In Place; Restoration Begins; Back to Normal. Note: ** Mitigation Action Plan may allow organization to avoid disruption. **]
- Emergency Response Plan: Saves lives and protects assets; Conduct damage assessment; Site Emergency Operations Center (EOC)
- Crisis Management Plan: Enterprise Crisis Management Center (ECMC); Multiple EOC Activations; Command, Control and Communications
- Risk Mitigation Plan: Tasks to initiate mitigation action(s); Avoid or minimize disruption
- Business Recovery Plan: Ensure that critical functions continue to be performed; Departmental Recovery Plans; Requires EOC communications and authorizations
- Disaster Recovery Plan: Site Operations and Physical Infrastructure; Ensure critical technical and operational infrastructure is available; Alternate site recovery
- Restoration Plan: A plan to return to normal operations 16
Holistic Enterprise: IT; Accounting; Finance; Sales; Operations; HR; Facilities 17
Shared Resources IT Services 18
What is the Business Continuity Maturity Model? Free assessment tool. Provides standardized approach. Consisting of: Six Levels; Eight Corporate Competencies. Global Availability. Download at: virtual-corp.net 19
Business Continuity Maturity Model 20
Business Continuity Maturity Model
Increasing Business Continuity Competency Maturity
Maturity Model Levels, with Athlete Analogy:
  Level 1 Self-Governed: Able to Crawl
  Level 2 Supported Self-Governed: Able to Walk
  Level 3 Centrally Governed: Able to Run
  Level 4 Enterprise Awakening: Fit Runner
  Level 5 Planned Growth: Competitive Runner
  Level 6 Synergistic: Olympic Runner
Comparative Model: Organization At Risk; Competent Performer; Best of Breed
Corporate Competencies: General Attributes of an Organization at Each Maturity Level
  Competency              Level 1  Level 2  Level 3  Level 4  Level 5  Level 6
  Leadership              VL       L        M        H        H        H
  BC Awareness            VL       L        L        M        H        H
  BC Program Structure    VL       L        L        M        H        H
  Program Pervasiveness   VL       L        L        L        M        H
  Metrics                 VL       L        M        M        H        H
  Resource Commitment     VL       L        M        H        H        H
  External Coordination   VL       L        L        M        H        H
  BC Program Content      VL       L        M        H        H        H
Leadership: The commitment and understanding demonstrated by executive management regarding the implementation of a scaled, enterprise-wide business continuity program. The degree to which the business case has been articulated and understood. 21
Business Continuity Maturity Model, BC Awareness: The breadth and depth of business continuity conceptual awareness throughout all staff levels of the organization. 22
Business Continuity Maturity Model, BC Program Structure: The scale and appropriateness of the business continuity program implemented across the enterprise. The degree to which the BC Program matches the articulated business case. 23
Business Continuity Maturity Model, Program Pervasiveness: The level of business continuity coordination between departments, functions and business units. The degree to which business continuity considerations have been incorporated in other business initiatives / programs. 24
Business Continuity Maturity Model, Metrics: The development and regular reporting of quantifiable criteria used to monitor the BC Program performance. The establishment of a baseline and on-going tracking of established business continuity competency goals. 25
Business Continuity Maturity Model, Resource Commitment: The application of sufficient, properly trained and supported personnel, financial and other resources to ensure the sustainability of the BC Program. 26
Business Continuity Maturity Model, External Coordination: Coordination of business continuity issues and requirements with external community including customers, vendors, government regulatory bodies, unions, local 1st responders. Ensure that critical supply chain partners have in place adequate BC Programs of their own. 27
Core Competencies, BC Program Content (Business Continuity Disciplines): The degree and quality of implementation of each of the four central disciplines of BC: 1. Incident Management 2. Technology Recovery 3. Business Recovery 4. Security Management 28
Four Core Business Continuity Disciplines (Program Content): Incident Management; Technology Recovery; Security Management; Business Recovery 29
What is Business Continuity? The Four Central Disciplines: Incident Management
- All aspects of emergency response, crisis management, and any other activities involved in command, control, and communications during a disastrous event
- The executive decision authorization and dissemination mechanism during crisis 30
What is Business Continuity? The Four Central Disciplines: Security Management
- Physical security, information security, and any other activities associated with protecting targeted information, personnel, and resources 31
What is Business Continuity? The Four Central Disciplines: Disaster Recovery
- Ensuring that all critical assets are recoverable within defined recovery time objectives
- Includes all tangible assets on which critical process(es) depend, e.g.:
  - IT hardware, software, networks, applications
  - Boiler, electric power generator, water tower
  - Process control equipment, refrigeration equipment, HVAC
  - Paper bags, nuts and bolts
  - Phones, tables, chairs, desks
  - Etc. 32
What is Business Continuity? The Four Central Disciplines: Business Recovery
- Ensuring that all critical processes are recoverable within defined recovery time objectives
- Includes all intangible assets on which critical processes depend, e.g.:
  - IT application data
  - Vital records (paper files, microfiche, etc.)
  - All intellectual property
  - Skill sets and expertise
  - Etc. 33
Business Continuity Maturity Model: Sample Corporate Competency Grid
General Characteristics: Level 1; Level 2; Level 3; Level 4; Level 5; Level 6
Athlete Analogy: Able to Crawl; Able to Walk; Able to Run; Fit Runner; Competitive Runner; Olympic Runner
Comparative Model: Organization At Risk; Competent Performer; Best of Breed
BC Program Structure: SELF-GOVERNED; SUPPORTED SELF-GOVERNED; CENTRALLY GOVERNED; ENTERPRISE AWAKENING; PLANNED GROWTH; SYNERGISTIC
Key Concepts:
Strategy / Culture / Goals (Definition: relevant to business goals & competitive environment) and Organizational Design (Definition: explicit methods of company): Unstructured, potentially counter productive No definition Self Defined Increasing understanding of BCM, common terminology in use. Dept/BU BCM activities in sync with relevant portions of enterprise strategy, culture and goals. Identification of key internal linkages and working agreements Awareness & adoption Integration Explicit vertical and horizontal integration A business case is established for BCM Identification of BCM critical functions and roles Mandatory BCM strategy review requirement in place and integrated into budget cycle Change management procedures with BCM coordinators in place at Dept/BU level Audit findings across enterprise begin to reflect more positive BCM response Enterprise BCM process is compatible with overall Enterprise business strategy BCM considered in development of enterprise business strategies Sustainability & survivability are principles of enterprise Prominence BCM and its relationship to available products and services has become a quantifiable and marketable competitive advantage. BCM is one of the drivers contributing to enterprise business strategy development. Management explores new technologies and innovative BCM solutions. Innovative processes piloted and incorporated into enterprise BCM program.
Roles & Responsibilities (Definition: who & what):
  Level 1: Undefined
  Level 2: Dept/BU staff has responsibility for BCM. Overlapping roles may occur.
  Level 3: Participating Dept/BUs have common BCM chain of command.
  Level 4: Formal BCM linkages of responsibility and relationships defined and adhered
  Level 5: Formal BCM linkages to performance goals and compensation
  Level 6: Formal BCM linkages to performance goals and compensation
Policies & Processes (Definition: how, i.e. rules of operation):
  Level 1: One or several Dept/BUs implemented a few self selected components of BCM
  Level 2: Active Dept/BUs have formulated policies, standards & practices. No enterprise policy for BCM exists.
  Level 3: Dept/BUs share common BCM policies, standards & practices. Business Continuity Charter published for participating Dept/BUs.
  Level 4: Enforceable BCM policies, standards, & practices in effect across the enterprise
  Level 5: Regular reviews of enterprise BCM policy, standards, and practices.
  Level 6: Pro-active executive participation in development of new BCM policy 34
Executive Buy-In: Investing in increasing revenue. Planning for something that you HOPE never happens. Executives decide how to best utilize scarce resources: $$$ + People. Critical to their decision: ROI 35
Applying the BCMM: Executive Buy-In; Self-Assessment; Regulatory Compliance; Evaluation Framework; Supply Chain Vulnerability; Program Design 36
Supports Governance Requirements
BCMM provides a means to gauge and document the effectiveness of these processes and supports compliance to these regulatory requirements.
BCMM provides a means to gauge the existence of organizational safeguards in the event of unanticipated threats or hazards.
- Administrative
- Technical
- Physical
BCMM provides a means to gauge and document an organization's BCM maturity level with regard to
- Assessing the situation
- Identifying risk
- Communicating the plan
- Continually improving upon the process 37
Supply Chain: Suppliers and Vendors; Manufacturer; Strategic Partners; Headquarters; Branch Office; Direct Marketing; Telephone Infrastructure; Web Infrastructure; Transportation; Distributors; Overnight Delivery; Database and Data Mining; Retailers; Customers 38
Evaluate Business and Supply Chain Partners (BCMM): Provides consistent measures across multiple enterprises; Provides consistent, comparative data; Can be used to improve awareness; Functions as a valuable education tool; Facilitates a value-added supplier environment; Can be used as effective marketing tool; May identify supply chain vulnerabilities 39
Vendor Selection Strategy: Single source for cost control; Multiple source for redundancy; Service level agreements for recovery. Vendor Selection Process: Add clear deadlines; Add specific goals; Communicate the goals and deadlines to potential and existing vendors and suppliers 40
Testimonial: Using The Business Continuity Maturity Model. Company Overview: A full-service business-solutions provider that serves clients through three service lines: systems integration and software engineering, infrastructure services and product fulfillment. These areas offer clients a broad delivery capability to plan, design, build and operate IT solutions that span both corporate and operational systems, and to provide their infrastructure needs. Company has more than US $309 million in revenues and employs 2,300 employees. 41
Public Domain BCMM Testimonial: This complementary assessment highlighted some valid BC initiatives, but more importantly, identified some gaps and deficiencies. Gaps and deficiencies that senior management did not see clearly at first. The maturity model was helpful in showing them where BC activities were rightfully implemented while also providing a better understanding of what was missing. The maturity model report gave them a roadmap for future growth in BC. In two cases, customers have taken the maturity model report that I generated as a roadmap to improving their existing BC planning activities. 42
BCMM Contents: Description of each corporate competency; Description of each level; Characteristics of an organization within the level and competency; How to conduct a Self-Assessment 43
BCMM Self-Assessment: Circle incomplete Descriptors at all Maturity Levels. [Grid: the Sample Corporate Competency Grid of slide 34 (General Characteristics, Level 1 to Level 6), with an Excellence criterion added to each Key Concept.]
Strategy / Culture / Goals: Definition: relevant to business goals & competitive environment. Excellence: "Impedance match" between S/C/G & BCP
Organizational Design: Definition: explicit methods of company. Excellence: supports enterprise approach & is definitive
Roles & Responsibilities: Definition: who & what. Excellence: accountability & clarity
Policies & Processes: Definition: how (i.e. rules of operation). Excellence: consistent & clear 44
BCMM Assessment Toolkit Sample BCMM Scorecard Scored 10/10/2004 1:0012 1:12 p.m. PM BCMM Scorecard SM Score Score Corporate Competencies 3.8 Leadership 3.3 Employee Awareness 4.0 BC Program Structure 4.2 Program Pervasiveness 3.7 Metrics 4.2 Resource Commitment 3.8 External Coordination BC Program Content 3.6 3.7 Incident Management 4.1 Technical Recovery 4.1 Security Management 3.5 Business Recovery Total Score 3.2 3.8 BCMM SM Scorecard for (Enterprise) 45
BCMM Public Domain Model Access Limits. Access to the Public Domain Model: Open; Controlled. Access to the Proprietary Model (Additional Components): Controlled; Managed by the BC Service Center 46
International Interest Over 3,000 people have viewed our BCMM Public Domain Model from over 40 countries. 47
BCMM Download Users from Countries: Australia, Saudi Arabia, New Zealand, Hong Kong, Spain, Netherlands, Venezuela, Belgium, France, United Kingdom, Canada, Hungary, Brazil, India, Italy, China, Iceland, Poland, South Africa, Argentina, Mexico, Philippines, United States of America, Denmark, Czech Republic, United Arab Emirates, Chile, Singapore, Malaysia, Ukraine, Sweden 48
Thank You! Margaret Langsett Executive Vice President Virtual Corporation, Inc. 973-426-1444 Or Manfred Heinzlreiter Managing Partner BR- i.com 416-254-9694 49